Splunk Enterprise (on-prem)
Splunk Cloud 7.0, 7.1, 7.2
- VictorOps Subscription Required: Getting Started, Essentials, or Full-Stack
- Installation location: a single-instance Splunk deployment or a Splunk search head. If you want to install on a search head cluster (SHC), contact support for specific instructions.
- Additionally, on-prem customers will need to allow outbound HTTPS (TCP port 443) from the Splunk instance to VictorOps. The full URL used will be https://alert.victorops.com/integrations/generic/20131114/alert/$your_api_key/$your_routing_key. Note that the API key is a segment of this URL path, so treat the URL as a secret wherever it may be recorded (for example, in proxy logs).
Splunk transforms machine-generated data into valuable insights that can help make your business more productive, profitable and secure. The following guide will walk you through integrating VictorOps with alert actions from searches in Splunk Enterprise and Splunk Cloud.
You will need an active VictorOps instance before you begin. Click here to start a free 14-day trial.
From the VictorOps web portal, select Settings, then Alert Behavior, and Integrations. Click the Splunk, Inc integration option.
Copy the API key from the “Service API Endpoint” field to the clipboard (This is the section after “…/alert/” and before “/$routing_key”).
From Splunkbase, search for VictorOps, or follow this link. Click the Download button and accept the license agreements by checking the boxes and clicking Agree to Download.
Start Splunk and open the web UI in a browser. From the top navigation bar, expand the drop-down menu and select Manage Apps. Next, click the button Install app from file.
Choose the VictorOps for Splunk app .tgz file downloaded earlier, and check the Upgrade app box to ensure your application is updated to the latest version. Click Upload, then finish the process by restarting Splunk.
Once Splunk has restarted, return to the Manage Apps page and click Set Up next to the VictorOps app. On the set up page, paste the API key copied earlier, along with any routing key from your account.
VictorOps can now be used as an Alert Action.
Note that if you receive the error “Error while posting to url=/servicesNS/nobody/victorops_apps/storage/passwords/” while updating your API key, the app must first be removed and reinstalled before updating your key.
Verify the Integration
From the Search app in Splunk, you can directly type
| sendalert victorops param.message_type="INFO"
to send a test alert directly to your VictorOps timeline. To create an incident, simply change INFO to CRITICAL. If you have any questions, please contact VictorOps support.
Here is an example of setting up a new alert based on a search. From a new search select Save As, then select Alert.
Give the alert a title, description and permissions, and configure the check schedule. Under + Add Actions, select VictorOps.
Select the desired message type, and use the state message field to add a brief description of what this particular alert indicates. You may override the default values for the routing key and entity_id if desired, but you should understand how these fields are used first: the routing key determines which team is paged, and the entity_id determines which alerts are correlated into the same incident. Additionally, you can dynamically reference Splunk fields within these assignments using tokens.
Once the specified conditions are met, you should see an alert appear in your VictorOps timeline.